
3/15/2017
02:30 PM
Hector Menendez

Trust Begins With Layer 1 Encryption

In today's distributed environment, cloud and communication service providers can play a key role in providing organizations with a scalable and secure platform for the connection of everything to everything. Here's how.

At which network layer should we handle security of in-flight data? Some argue the application layer is most appropriate because this is where the user’s personal data, semantics and security requirements reside. Others argue that security should start in the network and physical layers, protecting even the protocol information involved in moving data — implementing encryption as deeply as possible, even at Layer 1. This is particularly true for Internet of Things (IoT) traffic where data generated is never at rest.

Depending on security requirements, both are correct. Security at different levels can be complementary and collectively enhance security. Cybercrime is now costing companies over $400 billion annually. According to Gemalto’s breach level index, since 2013, security breaches have resulted in the loss or theft of an estimated 5.9 billion data records from enterprises worldwide. That’s about 47 records every second. Of course, if records are encrypted, stolen information is useless. But that is only happening 4% of the time! So, while application layer security is a great idea, other layers of protection are also needed.

Regulated industries, such as healthcare and financial services, suffer the most costly data breaches due to fines and a higher-than-average rate of lost business. Last year, the average cost per incident was $4 million, according to a 2016 Ponemon Institute study. Organizations recognize that the longer it takes to detect and contain a data breach, the more costly it becomes to resolve.

Enterprises have traditionally relied on perimeter security in the form of firewalls, DMZs and other technologies. However, as they turn increasingly to cloud-based enterprise services, perimeter security is no longer sufficient. Their enterprise-critical data is distributed far beyond the organization’s boundaries. But doesn’t this evolution from enterprise perimeter security to wide-area networking and cloud services increase the degree of risk for enterprises?

Contrary to some opinion, this move to the cloud is likely to make most enterprises more secure. It is important to remember that Layer 1 security starts with ensuring the physical security of all the various network elements and facilities. Communication Service Providers (CSPs) and cloud providers are better equipped than most enterprises to ensure the physical security of their infrastructure, yielding an improvement to overall security. CSP network elements, for instance, are more tamper-resistant and difficult to deactivate or bypass than their enterprise counterparts. Also, the CSP can ensure the availability of network services with a robust assurance function that can provide the enterprise customer with much greater security than the typical enterprise network provides. It is a similar situation in cloud data centers.

With better physical security for network infrastructure and higher availability and uptime for network resources, the next level of protection is through network traffic encryption. Best practices call for a holistic security approach that includes a multi-layered, “defense-in-depth” strategy.

Encryption is costly at higher network layers. Layer 1 encryption reduces the cost per encrypted bit by integrating the encryption function into the transport system. Encryption at higher layers also adds significant overhead and data stream latency. In contrast, Layer 1 encryption adds almost no additional overhead or latency to the transport process. Hardware-based Layer 1 encryption solutions enable very high bandwidth with encryption of 10 or 100 Gbps wire speeds and higher. This is especially critical for services that require real-time traffic management to uphold service level agreement (SLA) requirements for application disk access and rich content delivery such as video and voice calls.

Of course, the encryption algorithm must rely on strong, quality keys. For “top secret” data requiring 256-bit strength, a strong AES-256 algorithm with 256-bit key size should be used. And the keys should come from a key generator that produces a truly random, quality key to match the strength of the encryption algorithm.

Key management, exchange and authentication can be labor-intensive and cumbersome when there are many separate encryption devices and encryption streams to manage. By centralizing key management, the CSP can ensure a single point of trust and consistent policy enforcement. It also streamlines administration by allowing updates to be made once and cascaded automatically across the network. This enables single-point key revocation and synchronized, multi-tenant key rotations forced from a single point.
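The key-quality and centralized-management points above can be sketched as follows. This is an added example, not code from the article or from any vendor product: the `CentralKeyManager` class, its method names, the tenant names and the one-epoch grace window are all hypothetical, and the OS CSPRNG stands in for the hardware key generator the article calls for.

```python
import secrets

KEY_BYTES = 32  # 256-bit keys for AES-256, as the article specifies


class CentralKeyManager:
    """Hypothetical single point of trust holding per-tenant link keys."""

    def __init__(self):
        self.epoch = 0
        self._rings = {}       # tenant -> {epoch: key}
        self._revoked = set()

    def enroll(self, tenant):
        if tenant in self._revoked:
            raise PermissionError(f"{tenant} is revoked")
        # Each tenant gets an independent key from the OS CSPRNG (assumption:
        # a production system would draw from a hardware random source).
        self._rings[tenant] = {self.epoch: secrets.token_bytes(KEY_BYTES)}

    def rotate_all(self):
        """Synchronized rotation: one call gives every tenant a fresh key."""
        self.epoch += 1
        for ring in self._rings.values():
            ring[self.epoch] = secrets.token_bytes(KEY_BYTES)
            # Keep only the previous epoch as a grace window so traffic still
            # in flight at the rotation instant can be decrypted.
            for old in [e for e in ring if e < self.epoch - 1]:
                del ring[old]
        return self.epoch

    def revoke(self, tenant):
        """Single-point revocation: every epoch of the tenant's key is dropped."""
        self._rings.pop(tenant, None)
        self._revoked.add(tenant)

    def key_for(self, tenant, epoch):
        ring = self._rings.get(tenant)
        if ring is None or epoch not in ring:
            raise LookupError(f"no valid key for {tenant} at epoch {epoch}")
        return ring[epoch]


if __name__ == "__main__":
    km = CentralKeyManager()
    for name in ("tenant-a", "tenant-b"):   # constructed tenant names
        km.enroll(name)
    print("epoch after rotation:", km.rotate_all())
    km.revoke("tenant-b")
    print("tenant-a key bits:", len(km.key_for("tenant-a", km.epoch)) * 8)
```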

Enterprises should feel more confident about distributing their applications across the wide area and utilizing cloud-based services. The new distributed, cloud model is changing many aspects of our digital world, perhaps none more so than the key role that CSPs play to provide a global, scalable and secure platform for the connection of everything to everything. Layer 1 security is the foundation for confidence and trust in securing data while in-flight.


Hector is focused on optical networking solutions. In this role, he develops and markets service provider solutions on topics including mobile fronthaul, mobile backhaul, and secure optical transport. Hector has over 25 years of telecommunications experience and has held a ...